Privacy Policy
Last updated: May 23, 2026
Voxilo (operated by CraftsmenLeads LLC, a Wyoming limited liability company doing business as "Voxilo"; together, "Voxilo," "we," "us," or "our") provides an AI Voice Agent platform delivered as Software-as-a-Service ("SaaS") at voxilo.ai. This Privacy Policy explains how we collect, use, disclose, retain, and protect information when you interact with our platform.
How to read this policy
Voxilo operates a multi-sided SaaS service. To make this policy easier to navigate, we identify the audience for each section:
- Sections marked "[Subscriber]" address business customers who license the Voxilo platform (e.g., HVAC companies, plumbers, dental practices). Their account-level personal information is governed by these sections.
- Sections marked "[Caller]" address consumers ("End Users") who place a phone call to a business that uses Voxilo, and whose voice, transcript, contact details, and post-call SMS opt-in we process on the Subscriber's behalf.
- Sections marked "[Visitor]" address anyone who visits voxilo.ai without calling a Subscriber or signing up.
- The [Caller] sections lead this document because callers are the largest population we touch, and call-handling is the primary product.
If a section applies to all three audiences, we say so.
1. Voice Agent Privacy [Caller]
The Voxilo platform answers a Subscriber's business phone calls with an artificial-intelligence ("AI") voice agent. When you call a phone number routed to Voxilo, you are interacting with our AI agent on behalf of the business you called. This section explains what we collect during that call, how we obtain consent, and how we protect what we collect.
1.1 AI Voice Agent disclosure
At the start of every call, the AI voice agent discloses that:
- The call is being answered by an automated AI assistant, not a human, and
- In two-party-consent states (see §1.3), the call may be recorded.
You may end the call, request a transfer to a human staff member of the business you called, or decline to continue at any time.
1.2 What we collect during a voice call
When you place a call to a Voxilo-powered business, we may collect:
- The phone number you called from (caller ID),
- Audio of the voice call, when you have given recording consent under §1.3,
- A text transcript of the voice call generated by our AI systems,
- Information you provide verbally to the agent (your name, address, the service you need, appointment preferences, contact-channel preferences),
- A verbal-consent record for any recording or SMS opt-in (timestamp, room ID, the specific words the agent spoke, the words you spoke in response, and the decision the system reached),
- Federal and state Do-Not-Call ("DNC") and opt-out status that we look up before sending any post-call SMS, and
- Call-outcome metadata (booking made, callback requested, transferred to human, ended early, etc.).
1.3 Recording consent and two-party-consent states
Federal law (the Federal Wiretap Act, 18 U.S.C. §§ 2510–2522) permits recording of a call when at least one party consents. The Subscriber business — which the Voxilo agent answers on behalf of — is a party to the call and provides that consent.
Some U.S. states require all parties to a call to consent to recording. In those states the agent obtains your explicit recording consent at the start of the call and does not record unless you affirm. The states that require all-party consent for at least some categories of calls — and that the platform treats as "two-party-consent" for purposes of voice recording — include:
California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, Vermont, and Washington.
We treat the area code of your inbound call as the basis for the state determination. If you do not consent to recording in a two-party-consent state, the call will continue without audio recording, and only a text transcript and the metadata listed in §1.2 (excluding the audio recording) will be retained.
1.4 California-specific call privacy (CIPA)
California's Invasion of Privacy Act ("CIPA," Cal. Penal Code §§ 631, 632, and 632.7) is a two-party-consent regime that has been the subject of recent class-action litigation involving AI-powered call services. Voxilo's posture under CIPA is:
- The Voxilo voice agent is operated as a service provider to the Subscriber business that you called. We do not act as an undisclosed third-party listener and we do not use call audio or transcripts for our own marketing, advertising, or model-training purposes (see §3 and §4).
- We disclose the AI agent and obtain explicit recording consent at the start of every California call before any recording begins.
- We retain the verbal-consent evidence (timestamp, transcript excerpt, disclosure spoken, response given, decision reached) for the period stated in §6 to demonstrate compliance.
1.5 What the AI Voice Agent does NOT do
- The AI does not provide medical diagnoses, prescriptions, legal advice, financial advice, or emergency instructions.
- The AI does not capture government identifiers, payment-card numbers, full bank account numbers, or biometric voiceprints intended to identify you.
- The AI does not call out to consumers on the Subscriber's behalf for marketing or telemarketing purposes. Voxilo is an inbound voice answering service.
- For emergencies, hang up and call 9-1-1.
1.6 Voice retention
Voice recordings, transcripts, call summaries, and consent-event records are retained for the periods stated in §6.
2. SMS / Mobile Messaging Privacy [Caller]
A2P 10DLC notice. Voxilo operates a transactional SMS messaging program registered under the Voxilo brand with The Campaign Registry and U.S. mobile carriers under the Application-to-Person ("A2P") 10DLC framework. Wireless carriers review the verbatim text of this section. The phrasing and required disclosures below are kept stable to support that review.
Voxilo operates a transactional SMS messaging program on behalf of the service businesses (HVAC, plumbing, dental, etc.) that license the Voxilo platform. Voxilo is the registered carrier-level sender for every message in this program; the customer business's name appears in every message body so you know which appointment or callback the message refers to.
You opt in to receive these messages by giving verbal consent during a recorded voice call with our AI agent — for example, when you book an appointment or request a callback through the agent and the agent asks "Can I text you the booking link after we hang up?" This section describes how the resulting mobile information is handled.
2.1 What mobile information we collect
When you verbally opt in to SMS during a voice call, we collect:
- Your mobile phone number (the number you called from),
- Your verbal SMS opt-in record (timestamp, room ID, transcript excerpt of the affirmation, the disclosure text the agent spoke, and the consent decision),
- The audio of the consent affirmation as part of the recorded call (subject to two-party recording-consent rules in applicable states — see §1.3),
- The transactional SMS messages we send you (booking confirmation or callback summary),
- Any inbound keyword replies (STOP, HELP, START) and SMS delivery metadata (delivery status, timestamps, carrier responses).
2.2 How we use mobile information
Mobile information is used exclusively to:
- Send a booking confirmation SMS after a voice call in which you booked an appointment,
- Send a callback-summary SMS after a voice call in which you requested a callback (rather than booking immediately),
- Honor opt-out (STOP, UNSUBSCRIBE, CANCEL, END, QUIT, OPTOUT, REVOKE, STOPALL) keyword replies,
- Send the HELP-response message when you reply HELP,
- Send the re-subscribe confirmation when you reply START after a prior STOP, and
- Maintain courtroom-grade consent evidence in case a regulator requests proof that the messages you received were sent under valid TCPA-compliant verbal opt-in.
2.3 Mobile information non-sharing clause
No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. This includes phone numbers, SMS opt-in status, and any consent data. Mobile opt-in information is excluded from all data sharing practices described elsewhere in this Privacy Policy.
Mobile information is shared only with:
- The specific Voxilo Subscriber business you called, so they know about the appointment you booked or the callback you requested,
- Our SMS infrastructure provider (Twilio) solely for the purpose of delivering the messages you consented to receive, and
- Law enforcement, if required by valid legal process.
2.4 Message frequency and rates
Message frequency varies. Typical volume is zero or one SMS per voice call you place to a Voxilo-powered business — booking confirmation OR callback summary, never both, and never recurring messages outside that scope. Message and data rates may apply based on your mobile carrier plan. Voxilo does not charge you for SMS messages.
2.5 Opt-out
You may opt out of SMS at any time by replying STOP to any message. You will receive one confirmation message acknowledging the opt-out. No further messages will be sent to your number unless you re-subscribe by replying START AND giving fresh verbal opt-in on a future voice call with the agent.
2.6 Help
Reply HELP to any message to receive contact information and a description of the program.
2.7 Access and deletion
You may request deletion of your mobile information and opt-in records by emailing info@voxilo.ai with the subject line "SMS Data Deletion Request" from the email address associated with your account or by including the phone number you opted in with. Note: opt-out records are retained indefinitely to ensure continued compliance, even after a deletion request — this protects you from being re-contacted in error.
3. AI Processing and AI-Disclosure Laws [Caller, Subscriber]
3.1 What our AI does
Voxilo uses commercial AI APIs (powered by xAI's Grok and Anthropic's Claude) to conduct voice conversations with consumers who call our Subscribers' business phone numbers, and to summarize those conversations for the Subscriber after the call ends. Key facts:
- Voice conversations are conducted by an AI agent, not a human.
- At the start of every call, the AI clearly discloses that it is an automated system.
- The AI does not provide medical diagnoses, legal advice, financial recommendations, or emergency guidance.
- Consumers may request human follow-up at any time during the conversation.
- All AI interactions are subject to platform-side quality scoring and drift detection.
3.2 No general-purpose model training
Voxilo does NOT use your conversation data, personal information, or any Subscriber data to train general-purpose AI models. Conversation data is processed by xAI's and Anthropic's commercial APIs solely for the purpose of generating real-time responses and post-call summaries. xAI's and Anthropic's commercial API terms prohibit the use of API inputs/outputs for general-purpose model training.
We may use anonymized, aggregated conversation metrics (e.g., average conversation length, resolution rates, latency) to operate and improve the Service. This aggregated data cannot be linked back to any individual.
3.3 State AI-disclosure laws
A growing number of U.S. states impose specific consumer-disclosure obligations when an AI system interacts with a person. Voxilo's compliance posture for the laws most relevant to an inbound AI voice agent:
- California — Bots Disclosure Law (Cal. Bus. & Prof. Code § 17941). Requires disclosure when a bot is used to incentivize a sale or transaction with a California resident. Our AI voice agent discloses its automated nature at the start of every call.
- California — AB 2013 (training-data transparency). Applies to developers of generative AI systems. Voxilo is a deployer of third-party AI APIs (xAI and Anthropic) and is not a developer of the underlying generative AI systems.
- Colorado — Consumer Protections for Artificial Intelligence (SB 24-205). Requires that any person doing business in Colorado who deploys an AI system intended to interact with consumers disclose to each consumer that they are interacting with an AI system. The Voxilo agent makes that disclosure at the start of every call. The substantive provisions of SB 24-205 are scheduled to take effect on June 30, 2026.
- Utah — Artificial Intelligence Policy Act (SB 149, as amended by SB 226 and SB 332). Requires any person who causes generative AI to interact with an individual to disclose, when asked, that the individual is interacting with generative AI; and to disclose generative AI use proactively at the beginning of an interaction during a "high-risk" AI interaction (as defined under Utah law). The Voxilo agent makes the proactive disclosure at the start of every call regardless of whether the interaction is high-risk under Utah law.
This list is not exhaustive. State AI-disclosure laws are evolving rapidly. Subscribers in regulated industries are responsible for ensuring their use of Voxilo satisfies any industry-specific or state-specific obligations not covered here.
4. How We Use and Share Information [Subscriber, Caller, Visitor]
4.1 How we use information
- Service delivery. Answering inbound voice calls with the AI agent, qualifying the inquiry, booking appointments, and (when you verbally opt in) sending a single transactional confirmation or callback-summary SMS — all on behalf of the Subscriber business you called.
- Account management. Billing, support, onboarding, and communication with Subscribers.
- Service improvement. Analyzing voice conversation quality, AI performance scoring, drift detection, latency telemetry, and platform reliability monitoring — using anonymized or aggregated data wherever possible.
- Legal and regulatory compliance. TCPA compliance verification, two-party recording-consent recordkeeping, A2P 10DLC compliance, opt-out processing, AI-disclosure recordkeeping, and responding to legal requests.
- Security and abuse prevention. Fraud detection, abuse prevention, and protecting the integrity of the Service.
4.2 How we share information
We do not sell, rent, or trade personal information. We share data only as follows:
- With the specific Subscriber. Caller lead data (name, phone, service need, conversation summary, booking details) is shared only with the Subscriber business the caller actually called.
- With service providers (sub-processors). See §10 for the full list.
- As required by law. Subpoena, court order, regulator request, or to protect our rights and safety.
- In a corporate transaction. Merger, acquisition, or sale of assets, with notice to affected users.
5. Information We Collect Outside a Call [Subscriber, Visitor]
5.1 From Subscribers
- Business name, address, and contact information
- Business license and certification details
- Service areas and operating hours
- Billing and payment information (processed by Stripe)
- Account credentials (managed by Supabase Auth)
- FAQ entries and business-specific configuration
5.2 From Visitors to voxilo.ai
- IP address and approximate geolocation
- Browser type and version
- Device type and operating system
- Pages visited, referral source, and session duration
- Cookies and similar tracking technologies (see our Cookie Policy)
We do not use visitor de-anonymization services (RB2B, Retention.com, or similar), tracking pixels for advertising, fingerprinting technologies, or cross-site advertising tracking.
6. Data Retention [All]
| Data type | Retention |
|---|---|
| Voice call audio recordings | 2 years from call end |
| Call transcripts, summaries, and conversation history | 7 years from call end |
| Transactional SMS records (post-call confirmation/callback) | 7 years from send |
| Lead and form-submission records | 7 years from creation |
| Billing and financial records | 7 years (tax and legal requirements) |
| Consent events and compliance-check records | Retained as evidence (minimum 5 years; not deleted while the account is active) |
| Opt-out records | Indefinitely (continued-compliance protection) |
| Data-subject (privacy) request records | 3 years (proof we honored the request) |
| Security and audit logs | 5 years |
| ePHI access logs (HIPAA-aware Subscribers only) | 6 years (HIPAA requirement) |
| Website analytics | 24 months |
We retain each category for no longer than the period above. An automated retention process runs daily and deletes records once they pass their retention window, unless an active legal hold applies; call audio is additionally deleted from storage at the end of its window. Consent, compliance-check, and opt-out records are retained as evidence beyond the operational data window because deleting them would not be in your interest if a regulator or court later asked whether the messages and recordings were properly consented to. Subscribers with stricter requirements (for example, EU or healthcare-vertical Subscribers) can request tighter per-account retention windows.
7. Your Rights [Caller, Subscriber, Visitor]
7.1 All consumers
- Opt out of SMS communications at any time by replying STOP.
- Request a copy of your conversation transcript or call recording.
- Request deletion of your personal information (subject to the legal retention requirements in §6).
How to make a request. If you have a Voxilo account, you can submit and track access, export, correction, and deletion requests yourself from Your data in your account. Otherwise, email info@voxilo.ai with the type of request. We verify your identity before acting on a request and respond within 30 days of a verified request (extendable by up to 60 days for complex requests, with notice). Deletion covers our own systems — including your call-audio recordings — and we propagate deletion to our service providers (see §10) on request; we never delete records the law requires us to keep as evidence (see §6).
7.2 California residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose,
- Request deletion of your personal information,
- Opt out of the sale of personal information (we do not sell personal information),
- Non-discrimination for exercising your privacy rights,
- Correct inaccurate personal information, and
- Limit the use of sensitive personal information.
CIPA-specific rights and remedies are addressed in §1.4.
7.3 EU/EEA residents (GDPR)
If you are located in the European Union or European Economic Area, you have additional rights including access, rectification, erasure, restriction of processing, data portability, and the right to object. Voxilo acts as a Data Controller for Subscriber account information and as a Data Processor for caller data processed on a Subscriber's instructions; the Subscriber is the Data Controller for that caller data. Contact us at info@voxilo.ai to exercise these rights or to request a copy of our standard Data Processing Addendum (DPA) — see also our Data Processing Addendum and the request process in §7.1 (account holders can self-serve at Your data).
8. Do Not Sell or Share My Personal Information
Voxilo does NOT sell, rent, or share your personal information with third parties for their own marketing or advertising purposes. We have not sold personal information in the preceding 12 months. Because we do not sell personal information, we do not offer a "Do Not Sell" opt-out mechanism — there is nothing to opt out of.
If our data practices change in the future, we will update this policy, provide notice, and implement the required opt-out mechanisms before any such sharing begins.
9. Security [All]
We implement defense-in-depth security measures.
Encryption
- TLS 1.3 for all data in transit (API, webhooks, app traffic, voice signaling, SMS relay)
- AES-256-GCM encryption for personally identifiable information at rest
- Supabase-managed transparent encryption for all database storage
Access controls
- Row-Level Security (RLS) on every database table containing Subscriber or Caller data — no Subscriber can access another Subscriber's data
- Role-based access (admin, operator, Subscriber, dispatcher) with scoped permissions
- Mandatory multi-factor authentication (MFA) for administrative accounts; optional MFA for Subscriber accounts (TOTP, SMS OTP, email OTP)
- All API inputs validated against schema before processing
- All webhook endpoints verify cryptographic signatures before processing
Monitoring and audit
- Structured logging with correlation IDs for every request
- Consent events stored in append-only audit logs (never modified or deleted)
- Compliance engine decisions logged for every outbound message
- Regular dependency vulnerability scanning
Infrastructure
- Hosted on SOC 2-compliant infrastructure providers (Supabase, Railway, Vercel, LiveKit Cloud)
- Separate environments for development, staging, and production
- Secrets managed via environment variables sourced from a centralized secret store
We do not claim SOC 2, ISO 27001, HITRUST, or other independent certifications for Voxilo itself. Our infrastructure providers maintain their own certifications. As Voxilo matures we may pursue our own certifications and will update this section accordingly.
HIPAA and healthcare data
The Voxilo Service at its current base tier is not designed for use with Protected Health Information ("PHI") and does not include a Business Associate Agreement ("BAA"). Healthcare-adjacent Subscribers should not use the base Service for any call that may capture PHI. A future premium tier with HIPAA-compliant architecture and a BAA is on our roadmap; until that tier is available, do not use Voxilo for PHI-bearing calls.
10. Sub-Processors [All]
We use the following third-party service providers to operate the platform. Each plays a specific, documented role and processes only the data needed for that role.
| Provider | Purpose | Data processed |
|---|---|---|
| xAI (Grok API) | Realtime voice agent + post-call analysis | Live call audio, transcripts, voice tool inputs |
| LiveKit Cloud | Voice infrastructure (SIP, agent hosting, egress) | Voice call audio, transcripts, recording artifacts |
| Twilio | Telephony + A2P SMS delivery | Phone numbers, SMS content, call routing metadata |
| Anthropic (Claude) | Fallback AI processing (gated) | Call transcripts and summaries (when active) |
| Stripe | Payment processing | Subscriber billing information |
| Supabase | Database, auth, storage (S3-compatible) | All platform data, including consent events |
| Vercel | Website + app hosting | Website analytics |
| Railway | Application hosting (API, voice worker, scheduler) | Application data |
| Resend | Transactional email | Subscriber and recipient email addresses |
| Sentry | Error tracking | Error context (deidentified where possible) |
| PostHog | Product analytics, feature flags | Anonymous product usage events (no PII) |
We will update this list and notify affected Subscribers at least 30 days before adding a new sub-processor that handles personal information.
11. International Data Transfers and Residency [All]
Voxilo is based in the United States and provides services primarily to U.S.-based local businesses and their U.S.-based customers. Personal information processed through the Service is stored and processed in the United States.
If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country. By using the Service, you consent to this transfer.
For users in the European Economic Area, we rely on Standard Contractual Clauses ("SCCs") approved by the European Commission as our legal mechanism for data transfers.
12. Data Breach Notification [All]
In the event of a data breach affecting your personal information, we will:
- Notify affected individuals within 30 days of discovering the breach,
- Notify applicable state authorities as required by law (including the New York Attorney General under the NY SHIELD Act),
- Provide a description of the breach, the types of information involved, and steps you can take to protect yourself, and
- Offer appropriate remediation measures.
We maintain an incident response plan and conduct regular dependency vulnerability scanning.
13. Data Portability [Subscriber, Caller]
You may request a copy of your data in a commonly used, machine-readable format (JSON or CSV). Account holders can request an export self-service from Your data; otherwise contact info@voxilo.ai. Upon Subscriber account termination, we provide a final data export within 30 days at no charge.
14. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected information from a child under 16, we will promptly delete that information. If you believe a child has provided us with personal information, please contact us at info@voxilo.ai.
15. Online Tracking and Do Not Track Signals [Visitor]
Some browsers transmit "Do Not Track" ("DNT") signals. Because there is no industry-accepted standard for how to respond to DNT signals, voxilo.ai does not currently respond to DNT browser signals. We will update this policy if a uniform standard is established.
We use the following analytics tools on voxilo.ai:
- Vercel Analytics — anonymous page-view and performance metrics.
- Supabase — authentication session management.
These services may set cookies as described in our Cookie Policy. We do not participate in advertising networks or behavioral targeting programs.
If you wish to opt out of online tracking by third-party analytics providers, you may:
- Configure your browser to reject non-essential cookies,
- Use browser extensions such as Privacy Badger or uBlock Origin, or
- Visit https://optout.aboutads.info for industry-wide opt-out tools.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Subscribers of material changes via email at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was last revised.
17. Contact Us
For privacy-related questions or to exercise your rights, contact us at:
Voxilo
(operated by CraftsmenLeads LLC, Wyoming)
30 N Gould St, Suite R
Sheridan, WY 82801
Email: info@voxilo.ai
Website: voxilo.ai